I have a Win2008 server set up as a RADIUS server (192.168.32.71) and a stand-alone AP (192.168.201.9). The AP config is below:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$IdUV$UvE2IJTNzHX6mW6Mmh3At0
!
ip subnet-zero
ip domain name TKGCORP.local
ip name-server 192.168.32.71
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
server 192.168.201.9 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid ka_test
vlan 201
authentication open eap eap_methods1
authentication network-eap eap_methods1
guest-mode
!
power inline negotiation prestandard source
!
!
username Cisco password 7 112A1016141D
username tkgadmin privilege 15 password 7 022D167B06551D60
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 201 mode ciphers aes-ccm tkip
!
encryption key 1 size 128bit 7 673B0AA56FCB4E630D8E4856427E transmit-key
encryption mode wep mandatory
!
broadcast-key change 150
!
!
ssid ka_test
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
bridge-group 201 subscriber-loop-control
bridge-group 201 block-unknown-source
no bridge-group 201 source-learning
no bridge-group 201 unicast-flooding
bridge-group 201 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
encryption key 1 size 128bit 7 B711059074E30B1E1D4E3EC038BB transmit-key
encryption mode wep mandatory
!
broadcast-key change 150
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
!
interface FastEthernet0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
no bridge-group 201 source-learning
bridge-group 201 spanning-disabled
!
interface BVI1
ip address 192.168.201.9 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
no authentication eapfast
no authentication mac
nas 192.168.201.9 key 7 010703174F
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 0835495D1D
radius-server host 192.168.201.9 auth-port 1812 acct-port 1813 key 7 0010161510
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
Take a look at the following configuration guide. Don't worry that it says ACS, just follow the RADIUS pieces.
Steve
Sorry for the late reply, Steve. The link you provided was extremely helpful. Here is what my config looks like now:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$7vHS$YWCMbrlAgDUayKlOHhMlF1
!
ip subnet-zero
ip domain name TKGCORP.local
ip name-server 192.168.32.71
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.32.71 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid wap_test
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
guest-mode
infrastructure-ssid optional
!
power inline negotiation prestandard source
!
!
username Cisco password 7 047802150C2E
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid wap_test
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
!
interface BVI1
ip address 192.168.201.9 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 071B245F5A
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
I get a login screen, but it will not let me connect. On my RADIUS server I have it set to allow a group that my username is in. Here are some debugs from when I try to connect to the AP:
ap#debug aaa authentication
AAA Authentication debugging is on
ap#
*Mar 2 01:11:53.284: AAA/BIND(00000006): Bind i/f
*Mar 2 01:11:53.355: AAA/AUTHEN/PPP (00000006): Pick method list 'eap_methods'
*Mar 2 01:11:54.556: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
*Mar 2 01:11:55.280: AAA/BIND(00000007): Bind i/f
*Mar 2 01:11:55.404: AAA/AUTHEN/PPP (00000007): Pick method list 'eap_methods'
*Mar 2 01:11:56.349: AAA/BIND(00000008): Bind i/f
*Mar 2 01:11:56.525: AAA/AUTHEN/PPP (00000008): Pick method list 'eap_methods'
*Mar 2 01:11:57.300: AAA/BIND(00000009): Bind i/f
*Mar 2 01:11:58.070: AAA/BIND(0000000A): Bind i/f
*Mar 2 01:11:58.812: AAA/BIND(0000000B): Bind i/f
*Mar 2 01:12:15.470: AAA/AUTHEN/PPP (0000000B): Pick method list 'eap_methods'
*Mar 2 01:12:15.492: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
ap#undebug all
All possible debugging has been turned off
For the server, NPS should be listening on 1812/1813 (I believe it will still work with 1645/1646 if you allowed them in the setup). What does the system log on the NPS server say? There should be an NPS error as to why it rejected the user.
HTH,
Steve
-----------------------------------------
Please remember to rate useful posts, and mark questions as answered
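As an added illustration of the SSID -> method list -> server group -> radius-server host chain discussed in this thread (my own script, not code from the thread or from Cisco): it parses the AAA lines of an IOS AP config and reports method lists whose group has no servers, group servers with no matching radius-server host line, and servers on the legacy 1645/1646 ports that NPS does not listen on by default. SAMPLE_CONFIG is a constructed excerpt modelled on the configs posted above.

```python
import re

# Constructed excerpt modelled on the AP configs posted in this thread (not a complete config).
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 192.168.32.71 auth-port 1645 acct-port 1646
aaa group server radius rad_eap1
aaa authentication login eap_methods group rad_eap
aaa authentication login eap_methods1 group rad_eap1
dot11 ssid wap_test
 authentication open eap eap_methods
 authentication network-eap eap_methods1
radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 071B245F5A
"""

LEGACY_PORTS = {1645, 1646}  # pre-RFC 2865 ports; NPS listens on 1812/1813 by default


def audit_radius(config):
    """Walk the SSID -> method list -> group -> radius-server host chain and return findings."""
    groups, lists, hosts, findings, current = {}, {}, set(), [], None
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):
            current = None  # an unindented line ends the previous group's sub-mode
        if m := re.match(r"aaa group server radius (\S+)$", s):
            current = m[1]
            groups.setdefault(current, [])  # record the group even if it stays empty
        elif m := re.match(r"server (\S+) auth-port (\d+) acct-port (\d+)", s):
            if current:
                groups[current].append((m[1], int(m[2]), int(m[3])))
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", s):
            lists[m[1]] = m[2]
        elif m := re.match(r"radius-server host (\S+) auth-port (\d+) acct-port (\d+)", s):
            hosts.add((m[1], int(m[2]), int(m[3])))
        elif m := re.match(r"authentication (?:open eap|network-eap) (\S+)", s):
            group = lists.get(m[1])
            if group is None:
                findings.append(f"method list {m[1]} is not defined")
            elif not groups.get(group):
                findings.append(f"method list {m[1]} -> group {group} has no servers")
    for name, servers in groups.items():
        for ip, auth, acct in servers:
            if (ip, auth, acct) not in hosts:
                findings.append(f"group {name}: no radius-server host for {ip} {auth}/{acct}")
            if {auth, acct} & LEGACY_PORTS:
                findings.append(f"group {name}: {ip} uses legacy ports {auth}/{acct}; confirm NPS accepts them")
    return sorted(set(findings))
```

Run it against `show running-config` output to see which of the three checks fires before looking at the NPS event log.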